CISA and the FDA are warning that Contec CMS8000 and Epsimed MN-120 patient monitors are open to meddling and data theft; Claroty Team82 flagged the vulnerability as an avoidable insecure design issue.

Source: BMumin Mutlu via Alamy Stock Photo

Last week, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the US Food and Drug Administration (FDA), raised an alert for Contec CMS8000 and Epsimed MN-120 healthcare monitors, warning they potentially put patients at risk once connected to the Internet, due to a malicious, hidden backdoor embedded into the devices. But security researchers say the issue isn't actually intentional malware but, rather, just insecure design.

The devices continuously monitor patient vital signs, such as heart rate, blood oxygen saturation, temperature, respiration rate, and more. CISA and the FDA reported findings for three cybersecurity risks in the gear thanks to the "backdoor": an unauthorized user could remotely control a monitor and cause it to function in an unintended manner; attackers could compromise the device and pivot to a network; and an attacker could exfiltrate the data that the monitor collects. 

From a patient health perspective, if an attacker were able to manipulate the information the monitor gives patients, that could prevent them from realizing that there's something wrong. Though they reported no known cybersecurity incidents, deaths, or injuries related to the findings, the FDA still provided recommendations for patients and caregivers: talking to healthcare providers about evaluating their patient monitoring device and following certain steps if it does rely on an Internet connection.

Related:The Cyber Savanna: A Rigged Race You Can't Win, but Must Run Anyway

The FDA also tasked healthcare providers with checking their patients' Contec CMS8000 or Epsimed MN-120 patient monitors to determine if they have been functioning unusually.

**Patient Monitor Cyber Bug: Not Malicious, Just Problematic**

After learning of the alerts, Claroty's Team82 investigated the firmware and reached a different conclusion from CISA and the FDA: It is likely not a hidden backdoor that makes these devices a liability to patients and their medical information, but rather an insecure design that creates a vulnerability open for exploit by threat actors.

The researchers pointed out that the vendors, and any resellers interested in relabeling and selling the monitor publicly, list the IP address on the instruction manuals.

"The CONTEC operator manual specifically mentions this 'hard-coded' IP address as the central management system (CMS) IP address that organizations should use, so it is not hidden functionally as stated by CISA," wrote the Team82 researchers. "This nuance is important because it demonstrates a lack of malicious intent and therefore changes the prioritization of remediation activities."

Related:How Are Modern Fraud Groups Using GenAI and Deepfakes?

The vulnerability still poses real-world consequences, but Noam Moshe, a Team82 researcher, notes that a threat actor would first require knowledge of the device's architecture and protocols. 

"To gain code execution, first the device needs to be put on a system-upgrade process," says Moshe. "From our research, this requires physical access to the device."

After that though, the hardcoded nature of the IP address opens the door to easier exploitation.

"To exploit this vulnerability, an attacker would need to serve devices with malicious binaries on the hardcoded public IP address, giving them code execution on the device," Moshe says. "In the case of the device trying to send personally identifiable information (PII) or personal health information (PHI) to the hardcoded IP address, using the HL7 protocol, this could occur if a certain feature of the device would be enabled."

**Healthcare Devices: Monitoring the Threat**

Perhaps exploitation of this particular vulnerability doesn't seem all that likely, but medical devices have been a point of cyber contention for years.

All the way back in 2011 for instance, Jay Radcliffe took to the Black Hat USA stage to show the audience how insulin pumps like the one he wore could be hacked, in a presentation entitled "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System."

Related:Backline Tackles Enterprise Security Backlogs With AI

And as healthcare institutions are ravaged by ransomware attacks compromising their resources and putting patient lives at risk, many medical devices still haven't caught up when it comes to bolstering cybersecurity guardrails. Specifically, many of them are aging and running legacy software that hasn't been updated in years, offering plenty of holes for attackers.

However, agencies like the FDA are pushing companies to make strides, such as in 2023 when it began to reject medical devices that don't comply with recent cybersecurity regulation.

But there is still a long way to go: In 2024, researchers cited healthcare and the Internet of Medical Things (IoMT) as the riskiest device sector, even it did have the biggest decline overall in the number of risky devices deployed.

As for the patient monitor, Team82 researchers recommend that healthcare organizations take steps to protect patients, such blocking all access to the subnet from their internal network, and blocking devices attempting to upgrade firmware from a WAN server or potentially send PII.

"Hospitals should implement vulnerability detection and patching processes," Moshe says, "alongside network segmentation, driven by high-quality passive visibility that will ensure the most secure network layout."

Agencies Sound Alarm on Patient Monitors With Hardcoded Backdoor

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

Thursday, February 6, 2025 14:03

> “Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past

In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes.  

As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years. 

When taking a closer look at the known exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), I observed that the numbers remained relatively stable, with 186 in 2024 compared to 187 in 2023. However, there was a noteworthy 36% increase for the critical vulnerabilities scored (9-10).  

There is more to uncover from this data, and the analysis is still ongoing.  

It was also time to “stack” the data of our Quarterly Incident Response Reports. The standout aspects are the initial access vectors to me. "Exploiting Public Facing Applications" and "Valid Accounts" were dominant, outperforming other methods. This serves as a timely reminder to implement (proper) MFA and other identity and access control solutions as well as patch regularly and replace end-of-life assets. 

Reflecting on CVEs, patching, initial access vectors and also lateral movement, it's important to remember that the "free" support for Windows 10 will end on October 14, 2025.  

Mark.your.calendars. Please. And plan accordingly to ensure your systems remain secure.  

**The one big thing**

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

**Why do I care?**

Observium and WhatsUp Gold can be categorized as Network Monitoring Systems (NMS). A NMS as such holds a lot of valuable information such as Network Topology, Device Inventory, Log Files, Configuration Data and more, making them an attractive for the bad guys. 

**So now what?**

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, make sure your installation is up to date. 

**Top security headlines of the week**

The Cybersecurity and Infrastructure Security Agency analyzed a patient monitor used by the Healthcare and Public Health sector and discovered an embedded backdoor. (CISA) 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. (Hacker News) 

Nearly 100 journalists and other members of civil society using WhatsApp were targeted by a “zero-click” attack (Guardian) 

DeepSeek AI tools impersonated by infostealer malware on PyPI (Bleeping Computer) 

**Can't get enough Talos?**

*   Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 
*   New TorNet backdoor seen in widespread campaign 

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.   

S4x25 (February 10-12, 2025)  
Tampa, FL

RSA (April 28-May 1, 2025)  
San Francisco, CA

TIPS 2025 (May 14-15, 2025)  
Arlington, VA

**Most prevalent malware files from the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

MD5: a5e26a50bf48f2426b15b38e5894b189 

VirusTotal: https://www.virustotal.com/gui/file/744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 

Claimed Product: N/A 

Detection Name: Win.Dropper.Generic::1201

Changing the tide: Reflections on threat data from 2024

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Ferret Malware Added to 'Contagious Interview' Campaign

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users…

N. Korean ‘FlexibleFerret’ malware targets macOS with fake Zoom apps, job scams, and bug report comments, deceiving users into installation.

A new version of North Korean malware called ‘FlexibleFerret’ is making rounds, specifically targeting macOS devices and developers. This malware, linked to the ‘Contagious Interview’ campaign, uses tricky methods to infect systems, even disguising itself as legitimate software.

****The ‘Contagious Interview’ Trick****

The campaign begins with a **social engineering tactic**. Hackers lure their targets, often job seekers, into downloading malware through fake job interview processes. They send a link that appears to require a software update, like a fake virtual meeting application.

It is worth noting that the ‘Ferret’ malware family was originally discovered in September 2024 targeting Blockchain professionals with fake video conferencing and job scams. The latest variant, ‘FlexibleFerret,’ was discovered by SentinelLabs, and shows that hackers constantly change their methods to avoid detection.

Interestingly, Apple recently strengthened its XProtect security tool to deal with threats like “Ferret,” and other macOS malware. However, despite new security protocols, according to SentinelLabs’ **blog post** shared with Hackread.com, FlexibleFerret remained undetected, at least initially.

****How FlexibleFerret Works****

‘FlexibleFerret’ uses a dropper, which is essentially a package that installs the malware onto the system. This particular dropper contains several components, including fake applications and scripts.

After installation, the malware begins executing several malicious actions. It places and runs hidden components in the computer’s temporary folders, ensuring its presence remains unnoticed. At the same time, it creates a **fake Zoom application** that secretly connects to a suspicious domain.

To further trick victims, it displays a fake error message, making it seem like the installation failed while actually continuing to install itself in the background. Once embedded, it establishes persistence, allowing it to automatically run even after the system is restarted.

****A Signed Threat Against Job Seekers and Developers****

Unlike some older versions, ‘FlexibleFerret’ was initially signed with a valid Apple Developer signature. This helped it bypass some security checks, making it appear more legitimate. Security experts used this signature to discover even more related malware samples. That certificate has since been revoked, but a trail of other signed files has turned up.

The hackers behind ‘FlexibleFerret’ aren’t just focusing on job seekers anymore. They’re also targeting developers directly, using **fake bug reports or comments** on websites like GitHub to trick them into downloading the malware.

A threat actor tricking users into installing FlexibleFerret malware (Via SentinelLabs)

****Links to ChromeUpdate Malware****

FlexibleFerret includes a binary labeled “Mac-Installer.InstallerAlert,” which strongly matches code previously spotted in “**ChromeUpdate**,” an older piece of malware involved in these job interview lures. While Apple’s updated rules catch ChromeUpdate, they currently overlook this newer malware, indicating that attackers have changed minor elements to sneak past protections.

> _“The ‘Contagious Interview’ campaign and the FERRET family of malware represent an ongoing and active campaign, with threat actors pivoting from signed applications to functionally similar unsigned versions as required.”_
> 
>   
> SentinelLabs

1.  **Feds Bust N. Korean Identity Theft Ring Targeting US Firms**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **KnowBe4 Tricked into Hiring a North Korean Hacker as IT Pro**
4.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
5.  **Fake GitHub Repos Caught Dropping Malware as PoCs AGAIN!**
6.  **Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam**
7.  **Fake PoC Script Tricked Researchers into Downloading VenomRAT**

N. Korean ‘FlexibleFerret’ Malware Hits macOS with Fake Zoom, Job Scams

Social engineering methods are being put to the test to distribute malware.

During the past several months there have been numerous malware campaigns that use a technique something referred to as “ClickFix”. It often consists of a fake CAPTCHA or similar traffic validation page where visitors are instructed to paste and execute code in order to proceed.

We have started to see ClickFix attacks more and more via malicious Google ads as well. This is in contrast to typical phishing pages where victims download a so-called installer that contains malware.

In a recent malvertising campaign targeting the Notion brand, we observed these two techniques used at play. It’s quite possible the threat actors were collecting metrics to determine which one of the two gave them the most conversions via malware installs.

This blog post details this campaign that ultimately delivered the DarkGate malware loader.

**Overview**

**Web traffic view**

**Delivery #1: PowerShell code via “ClickFix”****Malicious ad and social engineering**

Threat actors created a Google ad for the popular utility application Notion. The first time we clicked on the ad, we were redirected to a site showing a “Verify you are human” page, also known as Cloudflare Turnstile. Except this was not the real Cloudflare, and merely a social engineering trick.

The HTML source code was obfuscated to only show gibberish interlaced with Russian comments, which we later determined was Rot13, a letter substitution cipher. This was likely used to hide the offending code from prying eyes and network rules:

After checking the box to verify we are human, we see new instructions, “Verification steps”, that involve pressing a number of key combinations. _Windows + R_ launches the run dialog while _Ctrl + V_ will paste whatever is in the clipboard. Supposedly this code is part of the verification process, but instead when pressing Enter, the victim will run a malicious command:

**PowerShell and payload**

The code copied into the clipboard is actually a command line that runs PowerShell:

The Base64 encoded string retrieves the following code from _hxxps\[:\]//s2notion\[.\]com/in.php?action=1_:

This downloads a binary from _hxxps\[:\]//s2notion\[.\]com/in.php?action=2_. and runs its. That file contains an AutoIt script that launches from:

"c:\\temp\\test\\Autoit3.exe" c:\\temp\\test\\script.a3x

The following DarkGate configuration was extracted from it:

{'DarkGate': {'C2': \[\['155.138.149.77'\]\], 'unknown\_8': \['No'\], 'name': \['DarkGate'\], 'unknown\_12': \['R0ijS0qCVITtS0e6xeZ'\], 'unknown\_13': \['6'\], 'unknown\_14': \['Yes'\], 'port': \['80'\], 'startup\_persistence': \['Yes'\], 'unknown\_32': \['No'\], 'check\_display': \['Yes'\], 'check\_disk': \['No'\], 'min\_disk\_size': \['100'\], 'check\_ram': \['No'\], 'min\_ram\_size': \['4096'\], 'check\_xeon': \['No'\], 'unknown\_21': \['No'\], 'unknown\_23': \['Yes'\], 'unknown\_31': \['No'\], 'unknown\_24': \['N-traff'\], 'campaign\_id': \['user1'\], 'unknown\_26': \['No'\], 'xor\_key': \['sDcGdADE'\], 'unknown\_28': \['No'\], 'unknown\_29': \['2'\], 'unknown\_35': \['No'\], 'tabla': \['a2THNyA\]7u6Kiv$8k.F\*ZrO"do1wL9P0 3}eCGDY{XVzctg,&EhJfsx=n)mpQUqljIW5SRMb4B(\['\]}}

**Delivery #2: signed executable****Malicious ad and decoy site**

We saw this scenario after revisiting the malicious ad for a second time. Notice how the URL path is now including “/download/”.

This is the more traditional approach to malvertising for software downloads that we’ve seen for a while now. Victims download an executable after being tricked with a lookalike site. The file was found hosted on Github under the user profile _herawtisabela1992_:

This fake Notion installer was digitally signed (now revoked) by KDL CENTRAL LIMITED. Similar to the other binary mentioned in the first delivery technique, this one also extracts an AutoIt payload, with the same DarkGate configuration.

It’s interesting to note that the same GitHub user account previously distributed a backdoor called Warmcookie (aka Badspace) from:

raw\[.\]\]githubusercontent\[.\]com/herawtisabela1992/check/refs/heads/main/920836164\_x64.exe

**Conclusion**

We were not surprised to see the ClickFix social engineering attack here, but what made this campaign interesting what that it alternated between ClickFix and the typical file download.

It’s quite likely someone is tracking stats and comparing numbers to see which of the two delivery methods yields the most successful installs. If we had to put our money on it, we would bet that ClickFix is ahead. The file download technique remains effective, especially if the payload is digitally signed, but it could be relegated to second place in the near future.

Malwarebytes detects both payloads as Trojan.Dropper and Backdoor.DarkGate.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising infrastructure

notionbox\[.\]org  
s2notion\[.\]com

Payloads

6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea  
4fe8bbc88d7a8cc0eec24bd74951f1f00b5127e3899ae53de8dabd6ff417e6db

 ClickFix vs. traditional download in new DarkGate campaign 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued alerts about the presence of hidden functionality in Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors.
The vulnerability, tracked as CVE-2025-0626, carries a CVSS v4 score of 7.7 on a scale of 10.0. The flaw, alongside two other issues, was reported to CISA

CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command-and-control servers from Pyongyang.

Source: DC Studio via Shutterstock

An ongoing investigation into recent attacks by North Korea's Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command-and-control (C2) infrastructure.

The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.

**Elaborate Operational Security**

Though the threat actor has implemented elaborate operational security measures to try and evade attribution, SecurityScorecard said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence.

"\[The\] analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide," SecurityScorecard said in a report this week. "The campaigns resulted in hundreds of victims downloading and executing the payloads, while, in the background, the exfiltrated data was being siphoned back to Pyongyang."

SecurityScorecard discovered "Phantom Circuit," the name by which it is tracking Lazarus group's newly discovered admin layer, while conducting followup investigations involving "Operation 99," a malicious campaign that it recently uncovered targeting the cryptocurrency industry and developers globally. In the campaign, members of the threat group have been posing as recruiters on LinkedIn and other online job forums to get software developers to engage in spurious project tests and code reviews.

Victims who fall for the scam are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus group's C2 infrastructure, which the threat actor has then been using to sneak data-stealing malware into the victim's environment. As part of the campaign, Lazarus group actors have been inserting obfuscated backdoors into legitimate software products — including authentication apps and cryptocurrency software — and trying to trick developers into running them in their environments. SecurityScorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korean threat actor's latest campaign.

**Dual Motivations**

"The motivation is twofold: cryptocurrency theft and infiltration of corporate networks," Ryan Sherstobitoff, senior vice president of threat intelligence at SecurityScorecard says. More often than not, developers who fall victim to Lazarus group lures end up executing the cloned code on their corporate devices and in their work environments. "The payloads are designed to exfiltrate development secrets," he says.

SecurityScorecard uncovered the Phantom Circuit admin layer when trying to understand how Lazarus actors were managing the information they stole via Operation 99. What the company discovered was Lazarus members using what it described as a sophisticated network of Astrill VPNs and proxies to access Operation 99's C2 infrastructure in a highly concealed manner. Astrill, which has VPN servers in 142 cities and 56 countries, has a reputation for allowing users to browse the Web anonymously and bypass Internet restrictions in countries with heavy censorship.

SecurityScorecard researchers found Lazarus members using Astrill VPNs to connect to an intermediate proxy network registered with a freight company in Hasan, Russia. They then used the proxy network to connect to Operation 99's C2 infrastructure in an elaborate attempt to try and hide their tracks. The C2 servers themselves were hosted on infrastructure registered with a most likely fictional "Stark Industries, LLC."

"\[SecurityScorecard\] assesses with high confidence that the IPs used to connect to the C2s were merely a relay/proxy and used to obfuscate the true origin," the company wrote in its report this week. "The adversary was establishing a secondary session after connecting to the VPN with the proxy, thus obscuring the true origin of where they actually connected from." SecureScorecard said it was able to identify a total of six distinct IP addresses in Pyongyang that the threat actor used to initiate the Astrill VPN connections to Operation 99's C2 network.

"Phantom Circuit \[is the\] operational network behind the scenes that leads directly back to Pyongyang," Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign where members used stolen identities to impersonate IT workers to try and secure jobs at organizations they wanted to infiltrate.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Researchers Uncover Lazarus Group Admin Layer for C2 Servers

China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database.

The Chinese generative artificial intelligence platform DeepSeek has had a meteoric rise this week, stoking rivalries and generating market pressure for United States–based AI companies, which in turn has invited scrutiny of the service. Amid the hype, researchers from the cloud security firm Wiz published findings on Wednesday that show that DeepSeek left one of its critical databases exposed on the internet, leaking system logs, user prompt submissions, and even users’ API authentication tokens—totaling more than 1 million records—to anyone who came across the database.

DeepSeek is a relatively new company and has been virtually unreachable to press and other organizations this week. In turn, the company did not immediately respond to WIRED’s request for comment about the exposure. The Wiz researchers say that they themselves were unsure about how to disclose their findings to the company and simply sent information about the discovery on Wednesday to every DeepSeek email address and LinkedIn profile they could find or guess. The researchers have yet to receive a reply, but within a half hour of their mass contact attempt, the database they found was locked down and became inaccessible to unauthorized users. It is unclear whether any malicious actors or authorized parties accessed or downloaded any of the data.

“The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high,” Ami Luttwak, the CTO of Wiz tells WIRED. “I would say that it means that the service is not mature to be used with any sensitive data at all.”

Exposed databases that are accessible to anyone on the open internet are a long-standing problem that institutions and cloud providers have slowly worked to address. But the Wiz researchers note that the DeepSeek database they found was visible almost immediately with minimal scanning or probing.

“Usually when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” says Nir Ohfeld, the head of vulnerability research at Wiz. But this time, “here it was at the front door.” Ohfeld adds that the “technical difficulty of this vulnerability is the bare minimum.”

The researchers say that the trove they found appears to have been a type of open source database typically used for server analytics called a ClickHouse database. And the exposed information supported this, given that there were log files that contained the routes or paths users had taken through DeepSeek’s systems, the users’ prompts and other interactions with the service, and the API keys they had used to authenticate. The prompts the researchers saw were all in Chinese, but they note that it is possible the database also contained prompts in other languages. The researchers say they did the absolute minimum assessment needed to confirm their findings without unnecessarily compromising user privacy, but they speculate that it may even have been possible for a malicious actor to use such deep access to the database to move laterally into other DeepSeek systems and execute code in other parts of the company’s infrastructure.

“It's pretty shocking to build an AI model and leave the backdoor wide open from a security perspective,” says independent security researcher Jeremiah Fowler, who was not involved in the Wiz research but specializes in discovering exposed databases. “This type of operational data and the ability for anyone with an internet connection to access it and then manipulate it is a major risk to the organization and users.”

DeepSeek’s systems are seemingly designed to be very similar to OpenAI’s, the researchers told WIRED on Wednesday, perhaps to make it easier for new customers to transition to using DeepSeek without difficulty. The entire DeepSeek infrastructure appears to mimic OpenAI’s, they say, down to details like the format of the API keys.

The Wiz researchers say they don’t know if anyone else found the exposed database before they did, but it wouldn’t be surprising, given how simple it was to discover. Fowler, the independent researcher, also notes that the vulnerable database would have “definitely” been found quickly—if it wasn’t already—whether by other researchers or bad actors.

“I think this is a wake-up call for the wave of AI products and services we will see in the near future and how seriously they take cybersecurity,” he says.

DeepSeek has made a global impact over the past week, with millions of people flocking to the service and pushing it to the top of Apple’s and Google’s app stores. The resulting shock waves have wiped billions from the stock prices of US-based AI companies and spooked executives at firms across the country. On Wednesday, sources at OpenAI told the Financial Times that it was looking into DeepSeek’s alleged use of ChatGPT outputs to train its models.

At the same time, DeepSeek has increasingly drawn the attention of lawmakers and regulators around the world, who have started to ask questions about the company’s privacy policies, the impact of its censorship, and whether its Chinese ownership provides national security concerns.

Italy’s data protection regulator sent DeepSeek a series of questions asking about where it obtained its training data, if people’s personal information was included in this, and the firm’s legal grounding for using this information. As WIRED Italy reported, the DeepSeek app appeared to be unavailable to download within the country following the questions being sent.

DeepSeek’s Chinese connections also appear to be raising security concerns. At the end of last week, according to CNBC reporting, the US Navy issued an alert to its personnel warning them not to use DeepSeek’s services “in any capacity.” The email said Navy members of staff should not download, install, or use the model, and raised concerns of “potential security and ethical” issues.

However, despite the hype, the exposed data shows that almost all technologies relying on cloud-hosted databases can be vulnerable through simple security lapses. “AI is the new frontier in everything related to technology and cybersecurity,” Wiz’s Ohfeld says, “and still we see the same old vulnerabilities like databases left open on the internet.”

Tag

#backdoor